Sage Ransomware Removal Guide

Do you know what Sage Ransomware is?

Sage Ransomware is a malicious application that locates specific folders on the computer and encrypts the data in them with a secure cryptosystem called RSA-4096. The whole purpose of creating or distributing such an infection is to find victims who would be willing to pay a ransom. In this case, the cyber criminals demand that users pay 0.12621 BTC, which is around 100 US dollars at the moment of writing. Of course, if you do not want to put up with such demands, you do not have to pay. We would not recommend doing so either because paying a ransom is always risky. Instead, we would advise you to eliminate Sage Ransomware with our removal guide placed below or with a trustworthy security tool. However, if you do not want to make any rash choices, we urge you to read the article and learn more about the malware.

Firstly, it is necessary to mention that Sage Ransomware might be spread via malicious email attachments, so users should be extremely careful with any suspicious data sent through email. Whenever you have any doubts, it is better to either avoid opening questionable files or check them with a reliable antimalware tool. For instance, potentially malicious email attachments could be files that arrive unexpectedly, are sent by someone you do not know, have random names, and so on. Considering the damage you might receive after launching ransomware, we believe it is better to be careful than regret it later.

As soon as users open the malware’s installer, Sage Ransomware may place an executable file (e.g. mEih6DMY.exe) in the %APPDATA% directory. Then, the threat should locate data placed in the %USERPROFILE% directory and its subfolders. Additionally, the malicious application may encrypt files in the %HOMEDRIVE% location, although it does not target its subfolders. The rest of the data placed in any other folder should remain in the same state it was before the computer got infected. As you realize, the amount of damage you receive depends on where you keep the most precious files. For instance, if they are not even on the C disk, the malware cannot harm them.

After encrypting targeted data, Sage Ransomware should replace the user’s background picture with an image it places in the %TEMP% directory, e.g. Rzdv2a.bmp. Then it may put a couple of ransom notes in the %USERPROFILE%\My Documents, %TEMP%, and Desktop folders. These files should be in .txt and .html formats, but the provided information is supposed to be more or less identical. It explains what happened to your data, names the price you are expected to pay for the decryption, and gives detailed instructions on how to transfer the money.

The cyber criminals might urge you to pay the ransom or even threaten to raise it if you do not make the payment on time, but if you do not want to risk losing any savings, there is another option. We would advise users to recreate files from copies, provided that there are any copies somewhere else besides the infected device. Also, it would be best for the system if you got rid of the infection. Users can do this manually if they follow the removal guide placed a little below this text. Clearly, the task might be rather difficult since the malware is a serious threat. Nevertheless, if you feel like manual deletion is too complicated, you can erase the malicious program with a trustworthy antimalware tool too. If you have any questions about Sage Ransomware, do not hesitate to contact us via social media or leave a message here.

Erase Sage Ransomware

  1. Open the Explorer by pressing Windows Key+E.
  2. Navigate to the Desktop, Downloads, Temporary Files, and other directories where you might have downloaded the malicious file.
  3. Right-click the infected file and select Delete.
  4. Go to %APPDATA% and find another malicious file with a random name and right-click it to select Delete.
  5. Look for this path: %ALLUSERSPROFILE%\Start Menu\Programs\Startup
  6. Find a suspicious shortcut with a random name, right-click it and press Delete.
  7. Remove ransom notes from the following locations: Desktop, %USERPROFILE%\My Documents, and %TEMP%
  8. Empty the Recycle Bin.
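
The locations from the steps above can also be listed with a script before anything is deleted. The following PowerShell is an added example, not part of the original guide; the 14-day window and the use of the system's known-folder lookups for Desktop, Documents and the all-users Startup folder are assumptions. It only reports files and deletes nothing.

```powershell
# Added example: read-only listing of the locations named in the removal steps.
# Assumption: files of interest were created in the last 14 days; adjust as needed.
$since = (Get-Date).AddDays(-14)

# Known-folder lookups (assumption: used instead of hard-coded paths so the
# all-users Startup folder resolves correctly on the running Windows version).
$desktop   = [Environment]::GetFolderPath('Desktop')
$documents = [Environment]::GetFolderPath('MyDocuments')
$startup   = [Environment]::GetFolderPath('CommonStartup')

function Get-RecentFile {
    param([string]$Path, [string[]]$Extension, [string]$Check)
    # Top level of $Path only (no recursion), filtered by extension and creation time.
    Get-ChildItem -LiteralPath $Path -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $Extension -contains $_.Extension.ToLower() -and $_.CreationTime -ge $since } |
        ForEach-Object {
            [pscustomobject]@{ Check = $Check; Created = $_.CreationTime; Path = $_.FullName; Detail = '' }
        }
}

$shell = New-Object -ComObject WScript.Shell

$findings = @(
    # Step 4: executable with a random name placed directly in %APPDATA%.
    # Detail holds the SHA-256 so the file can be checked with a security tool.
    Get-RecentFile -Path $env:APPDATA -Extension '.exe' -Check 'exe in APPDATA' |
        ForEach-Object {
            $_.Detail = (Get-FileHash -LiteralPath $_.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $_
        }

    # Steps 5-6: shortcuts in the all-users Startup folder, with the target each one launches.
    Get-RecentFile -Path $startup -Extension '.lnk' -Check 'Startup shortcut' |
        ForEach-Object { $_.Detail = $shell.CreateShortcut($_.Path).TargetPath; $_ }

    # Wallpaper image the article says is written to %TEMP%.
    Get-RecentFile -Path $env:TEMP -Extension '.bmp' -Check 'bmp in TEMP'

    # Step 7: ransom notes (.txt and .html) on the Desktop, in Documents and in %TEMP%.
    foreach ($dir in $desktop, $documents, $env:TEMP) {
        Get-RecentFile -Path $dir -Extension '.txt', '.html' -Check 'possible ransom note'
    }
)

$findings | Sort-Object Created | Format-List
```

A Startup shortcut whose target points at an executable listed under %APPDATA% ties steps 4 and 6 together and is the pair to review first.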

In non-techie terms:

Unfortunately, Sage Ransomware is not a program you could easily uninstall via Control Panel. This threat enters the system without the user's consent, and it places various files with random titles in a few different folders. Its primary task is to target particular locations where you could be keeping valuable data and encrypt such data so you would no longer have access to it. Consequently, the malware displays a note from the cyber criminals in which they promise to restore the locked data if users pay the ransom. Needless to say, there are no guarantees, so we would not advise doing so. If you do not think it is a good idea either, we suggest you delete the threat with our removal guide placed above or with a trustworthy security tool.